Example of Importing User Accounts Using Active Directory


This section will walk you through an example of importing a user account from Active Directory. Although this chapter will illustrate the steps and concepts for this task, the values are specific to the example Active Directory server and will not work on your Active Directory system.

Although some of the values in this example are specific to Active Directory, you can use a very similar example to import user accounts from LDAP.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Required Tasks

To configure SL1 to automatically create accounts for existing LDAP or AD users, you must perform the following steps:

  1. Create one or more user policies that define account properties and privilege keys in SL1 for imported LDAP users or AD users.
  • When creating the user policy, you must select LDAP/Active Directory in the Authentication Method field.
  • You can create more than one user policy for imported user accounts.
  • Later, in the LDAP/AD Auth Resource Editor page (System > Settings > Authentication > Resources > create/edit LDAP/AD Resource), you specify the user policy to apply to imported user accounts.
  2. Create an LDAP or AD credential that allows SL1 to read from (and optionally, write to) the LDAP or AD directory.
  3. Define the LDAP/AD Authentication Resource.
  • Specify how SL1 should communicate and exchange information with the LDAP or Active Directory server.
  • Specify how SL1 should map LDAP or AD attribute values to fields in the Account Properties page.
  • Specify whether SL1 should remain synced with the LDAP/AD server. If an LDAP or AD administrator makes changes to an account, SL1 can automatically retrieve those updates and apply them to the user's account in SL1 (in the Account Properties page) the next time the user logs in to SL1.
  4. Define one or more Authentication Profiles that tell SL1 how to recognize LDAP/AD users and which Authentication Resource to use with those users.
  5. After completing these steps:
  • Each LDAP/AD user must log in to SL1 using the LDAP or AD username and the LDAP or AD password.
  • SL1 will examine the hostname or IP address in the incoming URL request to align the user with an Authentication Profile.
  • The Authentication Profile tells SL1 which Authentication Resources to use to authenticate the user.
  • SL1 will use the settings and the credentials defined in the LDAP/AD Authentication Resource to query the LDAP or AD directory to authenticate each user.
  • Optionally, SL1 will use the mappings and the user policy specified in the LDAP/AD Authentication Resource to create each user account. The username will match the Search Field in the LDAP/AD Authentication Resource.

Example Entry in Active Directory

Suppose we have an entry in Active Directory that looks like this:

NOTE: For details on how the attribute names map to the page displays in Active Directory, see the appropriate Active Directory documentation.

# kgibson, Users, ScienceLogicHQ, sciencelogic.local
dn: samaccountname=kgibson,ou=Users,ou=ScienceLogicHQ,dc=sciencelogic,dc=local
samaccountname: kgibson
cn: Kate Gibson
userPassword: ilovedocs!
department: documentation
streetaddress: 12369 Sunrise Valley Drive
l: Reston
st: VA
c: US
postalCode: 20191
mail: kgibson@sciencelogic.com
telephoneNumber: 703-354-1010
facsimiletelephonenumber: 571-336-8000
mobile: 703-354-1011
pager: 703-354-1111
givenName: Kate
sn: Gibson

In this entry, we have a user named "kgibson", who resides in the ou called "Users", in the ou called "ScienceLogicHQ" in the domain "sciencelogic.local". We'll use this information when configuring SL1 to authenticate this user.

Creating a User Policy

When you configure SL1 to automatically create user accounts for Active Directory users or LDAP users, you must define one or more user policies for those imported accounts. Because you will not be creating the accounts manually and then manually defining the account properties, SL1 uses the user policy to define the properties for the user account.

For our example, we performed the following:

  1. Go to the User Policies page (Registry > Accounts > User Policies).
  2. Click the Create button. The User Policy Properties Editor page appears.
  3. In the User Policy Properties Editor page, we supplied the following values:
  • Policy Name. Name of the user policy. Can be any combination of alphanumeric characters, up to 64 characters in length. We entered AD_Imported.
  • Login State. Specifies whether user accounts created with the policy can log in to SL1. We selected Active. This means that as soon as the policy creates an account, the account user can log in to SL1.
  • Account Type. This drop-down contains an entry for each standard account type. These account types affect the list of Access Keys for the user. We selected User.
  • User. Accounts of type "user" are assigned Access Keys. Access Keys are customizable by the administrator and grant users access to pages and tabs and permit users to view information and perform tasks in SL1. These Access Keys are defined by the system administrator from the Access Keys page (System > Manage > Access Keys).
  • Password Strength, Password Expiration, Password Shadowing, Require Password Reset. These fields aren't used for LDAP/AD Authentication, so you can skip these fields.
  • Password Strength. We selected Good. The user's password must have a strength of Good to be authenticated.
  • Password Expiration. We selected 60 days. After 60 days the user will be forced to change their password.
  • Password Shadowing. We selected Default. The user will not be able to reuse any password from the past year.
  • Require Password Reset. We did not select this checkbox. The user will not have to reset their password at their next login.
  • Authentication Method. We selected LDAP/Active Directory. This selection is required. The user's username and password will then be authenticated by the Active Directory server or the LDAP server.
  • Restrict to IP. We left this field blank. If selected, the user will be allowed to access SL1 only from the specified IP. Specify the IP address in standard dotted-decimal notation.
  • Event Console Default Display. Specifies how the Event Console page will appear by default. We chose Flat events table.
  • Ticket Queue Memberships. We highlighted the ticket queues specifying which users will be members. In our example, this is Documentation.
  • Primary Organization. Specifies the primary organization. We selected System. This will be the default organization for user accounts created with this policy. You can select from a list of all organizations in SL1.
  • Theme. Backgrounds, colors, fonts, and graphics that will appear when a user logs in. We selected ScienceLogic: White + Blue Titlebars.
  • Time Zone. The time zone to associate with each user account created with this user policy. We selected New_York. Dates and times in SL1 will be displayed for the selected time zone.
  • Organization Memberships. User accounts created with this user policy will be members of each selected organization. We did not select any additional organizations.
  • Privilege Keys. The Privilege Keys pane displays a list of Access Keys that can be assigned to the user's account. We selected Grant All. This means the user can access all parts of SL1 (but cannot create or edit additional Access Keys).
  • Re-Apply All Settings to All Policy Members. We left this field unchecked.
  4. Click the Save button to save your new user policy.

Creating a Credential for Active Directory

When you configure SL1 to automatically create user accounts for Active Directory users, you must define one or more credentials, so SL1 can communicate with the Active Directory server. SL1 must communicate with the AD server, both to authenticate each user and to retrieve information about each user to include in each user's user account.

For our example, we performed the following:

  1. Go to the Credential Management page (System > Manage > Credentials).
  2. Click the Actions menu, then select LDAP/AD Credential.
  3. The Credential Editor modal page appears. In this page, you can define the new credential.
  4. Supply a value in each of the following fields:
  • Profile Name. Name of the credential. We specified ScienceLogic AD.
  • LDAP Type. Specifies the type of LDAP implementation running on the directory server. We selected Active Directory.
  • Hostname/IP. Hostname or IP address of the Active Directory server. We supplied the IP address of the Active Directory server (192.168.10.21).
  • Secure. Specifies whether you are using the "LDAP over SSL" protocol. We selected No.
  • Port. Port number on the LDAP or Active Directory server to which SL1 will send requests. We accepted the default port value (389).
  • Timeout. We accepted the default value of 10000.
  • RDN (Bind DN / bind user). This field specifies the bind DN. The bind DN is an account on the Active Directory server or the LDAP server that is allowed to search the directory within the specified search base. We entered:

%u@%d

This says that the bind DN "kgibson@ScienceLogic.local" will allow SL1 to authenticate the user and retrieve information about that user.

  • In SL1, the %u variable stores the latest username from the login page.
  • In SL1, the %d variable stores the value specified in the field LDAP Domain.
  • To configure SL1 to automatically create accounts when a user logs in with an AD name and password, you must include the %u variable in this field.
  • When an AD user logs in to SL1, SL1 stores the username in the %u variable. SL1 then uses the %u variable to build the bind DN, uses the bind DN to communicate with the AD server, and then asks the AD server to authenticate the current user.
  • LDAP Domain. If your LDAP or Active Directory configuration includes multiple domains, specify the domain components to bind to in this field. We entered ScienceLogic.local.
  • Bind Password. Password that allows access to the Active Directory server or the LDAP server. In most cases, when you specify a bind password in a credential, you are creating a "write" credential (that is, a credential that allows SL1 to make changes to the LDAP or AD server). We left this field blank.
  • User Search Base. Specify where in the AD directory to find the user accounts to import, using RDN notation. The search base tells SL1 which part of the external directory tree to search. We entered:

ou=Users,ou=ScienceLogicHQ,dc=ScienceLogic,dc=local

This specifies that SL1 can import any Active Directory account in the ou "Users", in the parent ou "ScienceLogicHQ", in the domain "ScienceLogic.local". Any users in any ou that is a child to the ou "Users" will also be imported.

NOTE: For details on search syntax for Active Directory, see http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx. For details on the search syntax for LDAP, see http://www.faqs.org/rfcs/rfc2254.html.

  • User Search Scope. Specify whether SL1 should search only the directory specified in the User Search Base field or whether SL1 should search the directory specified in the User Search Base field and all its child branches. We selected One Level.
  5. Click the Save button to save your changes to the credential.

Creating an LDAP/AD Authentication Resource

An Authentication Resource is a configuration policy that describes how SL1 should communicate with a user store. In this section, the user store is an Active Directory user store. The LDAP/AD Auth Resource Editor page allows you to define an Authentication Resource for use with an AD user store. An LDAP/AD Authentication Resource specifies the connector (communication software) to use to communicate with the AD user store and the credential to use to connect to the user store. An LDAP/AD Authentication Resource can also map attributes from the user's AD account to fields in the user account on SL1.

To create an LDAP/AD Authentication Resource:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. In the Authentication Resource Manager page, click the Actions menu and then select Create LDAP/AD Resource. The LDAP/AD Auth Resource Editor page appears.
  3. Enter values in the following fields:

Basic Settings

  • Name. Name of the LDAP/AD Authentication Resource. Enter Import_AD_Resource.
  • User Display Name. User's username, email address, or preferred display name. This value is determined by the user's authentication resource settings. This drop-down field includes the following options:
  • disable. Uses the current default behavior, which displays the user's username in the SL1 user interface and in the logs.
  • e-mail address. Displays the user's email address in the SL1 user interface and in the logs.
  • user principal name. Displays the value from the UPN field on this page in the SL1 user interface and in the logs.
  • UPN. The value that displays in the SL1 user interface and in the logs. If you select user principal name in the User Display Name field, then the value from this field displays in the SL1 user interface and in the logs. This field is blank by default for all existing (pre-11.2.1) authentication resources, but can be manually updated.
  • Read Credential. Select the credential we created earlier, ScienceLogic AD. This credential allows SL1 to read data from an Active Directory server.
  • Write Credential. Leave this field blank.

NOTE: Your organization membership(s) might affect the list of credentials you can see in the Read Credential field and the Write Credential field.

  • User Name Suffix. Leave this field blank.
  • Search Filter. Specifies where to find the user's account information in Active Directory. Enter the following:

(samaccountname=%u)

This says to search for the samaccountname attribute that matches the login name (entered when the user logs in to SL1 and then stored in the variable %u).

  • Sync directory values to EM7 on login. If the AD administrator makes changes to an AD account, SL1 will automatically retrieve those updates and apply them to the user's account in SL1 (in the Account Properties page) the next time the user logs in to SL1.
  • Sync EM7 values to directory on save. If an administrator made changes to the user account in SL1, SL1 will automatically write those changes to the user's account in LDAP or Active Directory. This option requires a write credential.

Attribute Mapping

If you have configured SL1 to automatically create accounts in SL1 for AD users, these fields specify the AD attribute value that will be automatically inserted into each field in each user's Account Properties page.

SL1 automatically populates as many of these fields as possible. You can edit or delete the default values provided by SL1.

For example, SL1 automatically inserts the value of the AD attribute "sn" (surname) into the Last Name field in each user's Account Properties page (Registry > Devices > Device Manager).

NOTE: SL1 requires that the LDAP or AD attribute name that you specify in each field uses all lowercase characters.

  • First Name. Specifies the AD attribute value that will be automatically inserted into the First Name field in each user's Account Properties page. By default, SL1 inserts the value of the AD attribute "givenname" into this field. We accepted the default value.
  • Last Name. Specifies the AD attribute value that will be automatically inserted into the Last Name field in each user's Account Properties page. By default, SL1 inserts the value of the AD attribute "sn" into this field. We accepted the default value.
  • Phone. Specifies the AD attribute value that will be automatically inserted into the Phone field in each user's Account Properties page. By default, SL1 inserts the value of the AD attribute "telephonenumber" into this field. We accepted the default value.
  • Mobile. Specifies the AD attribute value that will be automatically inserted into the Mobile field in each user's Account Properties page. By default, SL1 inserts the value of the AD attribute "mobile" into this field. We accepted the default value.
  • Primary Email. Specifies the AD attribute value that will be automatically inserted into the Primary Email field in each user's Account Properties page. By default, SL1 inserts the value of the AD attribute "mail" into this field. We accepted the default value.
  • Street Address. Specifies the AD attribute value that will be automatically inserted into the Street Address field in each user's Account Properties page. By default, SL1 inserts the value of the AD attribute "streetaddress" into this field. We accepted the default value.
  • Suite/Building. Specifies the AD attribute value that will be automatically inserted into the Suite/Building field in each user's Account Properties page.
  • City. Specifies the AD attribute value that will be automatically inserted into the City field in each user's Account Properties page. By default, SL1 inserts the value of the AD attribute "l" into this field. We accepted the default value.
  • State. Specifies the AD attribute value that will be automatically inserted into the State field in each user's Account Properties page. By default, SL1 inserts the value of the AD attribute "st" into this field. We accepted the default value.
  • Postal Code. Specifies the AD attribute value that will be automatically inserted into the Postal Code field in each user's Account Properties page. By default, SL1 inserts the value of the AD attribute "postalcode" into this field. We accepted the default value.
  • We accepted the default values (usually a blank field) in all other fields.
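As an added example (not ScienceLogic's code and not an SL1 API), the Python below models how the values entered in the credential (RDN template %u@%d, LDAP Domain, User Search Base and Scope) and in this Authentication Resource (Search Filter, Attribute Mapping) apply to the example entry at login time, without contacting a directory server. Assumptions: the helper names are invented, the LDIF is the entry shown earlier with userPassword omitted, and RFC 4515 escaping of the login name before it is substituted into the Search Filter is the example's own practice, since the page does not document how SL1 handles %u.

```python
# Added example, not ScienceLogic code: no directory server is contacted.

# Constructed input: the example entry shown earlier (userPassword omitted).
EXAMPLE_LDIF = """\
dn: samaccountname=kgibson,ou=Users,ou=ScienceLogicHQ,dc=sciencelogic,dc=local
samaccountname: kgibson
cn: Kate Gibson
streetaddress: 12369 Sunrise Valley Drive
l: Reston
st: VA
postalCode: 20191
mail: kgibson@sciencelogic.com
telephoneNumber: 703-354-1010
mobile: 703-354-1011
givenName: Kate
sn: Gibson
"""

# Values entered in the credential and the Authentication Resource above.
RDN_TEMPLATE = "%u@%d"
LDAP_DOMAIN = "ScienceLogic.local"
SEARCH_BASE = "ou=Users,ou=ScienceLogicHQ,dc=ScienceLogic,dc=local"
SEARCH_FILTER = "(samaccountname=%u)"

# Default Attribute Mapping: Account Properties field -> lowercase AD attribute.
ATTRIBUTE_MAP = {
    "First Name": "givenname", "Last Name": "sn", "Phone": "telephonenumber",
    "Mobile": "mobile", "Primary Email": "mail", "Street Address": "streetaddress",
    "City": "l", "State": "st", "Postal Code": "postalcode",
}

# RFC 4515 escapes for an assertion value placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape filter metacharacters so a login name cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_bind_dn(username, template=RDN_TEMPLATE, domain=LDAP_DOMAIN):
    """%u is the name typed at the login page, %d the LDAP Domain field."""
    return template.replace("%u", username).replace("%d", domain)


def build_search_filter(username, template=SEARCH_FILTER):
    """Substitute the escaped login name for %u in the Search Filter."""
    return template.replace("%u", escape_filter_value(username))


def parse_ldif(text):
    """Parse one simple LDIF record into a dict keyed by lowercase attribute."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry[name.strip().lower()] = value.strip()
    return entry


def in_search_scope(dn, base=SEARCH_BASE, scope="One Level"):
    """One Level: direct children of the base only; Subtree: the base and all
    entries beneath it. Simple DNs only (no escaped commas); the comparison is
    case-insensitive, as ou and dc values are in the directory."""
    dn_parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    if dn_parts[-len(base_parts):] != base_parts:
        return False                      # entry lies outside the search base
    depth = len(dn_parts) - len(base_parts)
    return depth == 1 if scope == "One Level" else depth >= 0


def map_account_properties(entry, mapping=ATTRIBUTE_MAP):
    """Fill Account Properties fields; attributes missing from AD stay blank."""
    return {field: entry.get(attr, "") for field, attr in mapping.items()}


if __name__ == "__main__":
    entry = parse_ldif(EXAMPLE_LDIF)
    print(expand_bind_dn("kgibson"), build_search_filter("kgibson"))
    print(in_search_scope(entry["dn"]), map_account_properties(entry))
```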

User Policy Alignment

  • Type. Specifies whether SL1 should automatically create accounts in SL1 for each LDAP or Active Directory user in the search base (which is specified in the credential), whether SL1 should simply use LDAP or Active Directory to authenticate one or more users, or whether SL1 will refuse to authenticate specific users. We selected:
  • Static policy alignment. If an LDAP or AD user logs in to SL1 using the LDAP or AD attribute specified in the Search Filter field, SL1 will automatically create an account for that user. SL1 will use one user policy (specified in the Policy field) to create all imported LDAP or AD user accounts. SL1 will also use the settings and credentials specified in this page when creating the account.

If you selected Static policy alignment in the Type field, you must supply a value in the Policy field:

  • Policy. Specifies the user policy to use to automatically create an account in SL1 for each LDAP or AD user. Select from a list of all user policies that specify LDAP/Active Directory in the Authentication Method field. We selected the User Policy we created earlier, AD_Imported.

  4. Click the Save button to save your changes to the new Authentication Resource.

Creating an Authentication Profile

An Authentication Profile is a policy for user authentication. Authentication Profiles align user accounts with one or more Authentication Resources.

  • Alignment by pattern matching. SL1 uses the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the criteria specified in an authentication profile, SL1 will automatically use the matching profile to perform user authentication.
  • Credential Source. Specifies from where SL1 should extract the user name and password or certificate to be authenticated. These credentials are passed to SL1 via HTTP. SL1 then passes the credentials to each Authentication Resource specified in the Authentication Profile. The Authentication Resources authenticate the credentials with user stores.
  • Authentication Resource. Specifies the connector to use to communicate with the user store, the credential to use to connect to the user store (if applicable), and the URLs to examine during authentication. Also maps attributes from the user's account in the user store to fields in the SL1 user account.
  • Multi-factor Resource. Specifies the connector to use to communicate with the multi-factor endpoint. A Multi-factor Resource specifies the hostname or IP address of the Authentication Agent, the access key for communicating with the endpoint, and the URL of the RSA REST endpoint.

The Authentication Profiles page allows you to create a new authentication profile. To do so:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. Click the Create button. The Authentication Profile Editor modal page appears.
  3. In the Authentication Profile Editor modal page, you can define the new authentication profile.
  • Name. Name of the Authentication Profile. We entered Import_AD_Profile.
  • Priority Order. If SL1 includes multiple Authentication Profiles, SL1 evaluates the Authentication Profiles in ascending priority order. SL1 will apply the first Authentication Profile that matches the Hostname or IP in the current URL AND has the lowest value in the Priority Order field. We accepted the default value, 1.
  • Pattern Type. Specifies how SL1 will evaluate the value in the AP Hostname Pattern field. We selected Wildcard. SL1 will perform a text match, with wildcard characters (asterisks).
  • AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the value in this field, SL1 applies the Authentication Profile to the user for the current session. We entered *.sciencelogic.com in this field.

SL1 will apply the Authentication Profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters a URL ending with ".sciencelogic.com" into the browser.

  • Available Credential Sources. This field tells SL1 how to retrieve the user's credentials from the HTTP request to SL1. To align a credential source with the Authentication Profile, highlight the credential source and click the right-arrow button. You can select zero, one, or multiple credential sources for the Authentication Profile. We selected:
  • EM7 Login Page. SL1 will retrieve a user name and password from SL1 login page fields.
  • Aligned Credentials Sources. This field displays the list of credential sources that have been aligned with the Authentication Profile. The Authentication Profile will examine each credential source in the order in which it appears in this list. When the Authentication Profile finds the user's credential, the Authentication Profile stops examining any remaining credential sources in the list.
  • Available Authentication Resources. This field tells SL1 which Authentication Resources to use to authenticate the retrieved credentials. To align an Authentication Resource with the Authentication Profile, highlight the Authentication Resource and click the right-arrow button. You must select at least one Authentication Resource and can select more than one. We selected EM7 Internal.
  • Aligned Authentication Resources. This field displays the list of Authentication Resources that have been aligned with the Authentication Profile. The Authentication Profile will examine each Authentication Resource in the order in which it appears in this list. When an Authentication Resource successfully authenticates the user, the Authentication Profile stops executing any remaining Authentication Resources in the list.
  • Available Multi-factor Resources. This field tells SL1 which Multi-factor Resources to use to perform multi-factor authentication. To align a Multi-factor Resource with the Authentication Profile, highlight the Multi-factor Resource and click the right-arrow button.
  • Aligned Multi-factor Resources. This field displays the list of Multi-factor Resources that have been aligned with the Authentication Profile. The Authentication Profile will examine each Multi-factor Resource in the order in which it appears in this list. When a Multi-factor Resource successfully authenticates the user, the Authentication Profile stops executing any remaining Multi-factor Resources in the list.

NOTE: For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  4. Click the Save button to save your changes to the new authentication profile.

User Login to SL1

After completing the steps in this chapter:

  1. Suppose user "kgibson" logs in to SL1 with the following credentials:
  • Account: kgibson
  • Password: ilovedocs!
  2. SL1 will look for an account with an Account Login Name of "kgibson".
  3. When examining the user's account information, SL1 will discover that this user login is to be authenticated with AD.
  4. SL1 will check the login request and match the originator's URL or IP address to an Authentication Profile. In our example, the originator's URL will match the Authentication Profile we created, Import_AD_Profile.
  5. The Authentication Profile will tell the platform to extract the user's credentials from the ScienceLogic Login page and to use the Authentication Resource we created, Import_AD_Resource.
  6. The Authentication Resource will tell SL1 to use the credential we created, ScienceLogic AD, to connect to the AD server. SL1 will connect to the AD server using the bind DN value from the RDN field in the credential. The value we entered was %u@%d. So we will connect to the AD server using the username "kgibson" in the domain "sciencelogic.local".
  7. SL1 will search the AD server using the value specified in the Search Filter field in the Authentication Resource. In our example, SL1 will search for a record where the samaccountname attribute contains the login name (entered when the user logs in to SL1).
  8. Based on the record found in the AD server, SL1 will ask the AD server to authenticate the username and password that were passed to the ScienceLogic Login page.
  9. After authentication, SL1 will retrieve values from the AD server to populate fields in the user's Account Properties page.